CVE-2025-58359

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-58359

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58359.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-58359

Aliases

GHSA-wgq8-vr6r-mqxm

Published

2025-09-04T23:50:45.746Z

Modified

2026-04-10T05:33:52.319753Z

Severity

6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

frost-core: refresh shares with smaller min_signers will reduce group security

Details

ZF FROST is a Rust implementation of FROST (Flexible Round-Optimised Schnorr Threshold signatures). In versions 2.0.0 through 2.1.0, refresh shares with smaller minsigners will reduce security of group. The inability to change minsigners (i.e. the threshold) with the refresh share functionality (frost_core::keys::refresh module) was not made clear to users. Using a smaller value would not decrease the threshold, and attempts to sign using a smaller threshold would fail. Additionally, after refreshing the shares with a smaller threshold, it would still be possible to sign with the original threshold, potentially causing a security loss to the participant's shares. This issue is fixed in version 2.2.0.

Database specific

{
    "cwe_ids": [
        "CWE-325"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58359.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/ZcashFoundation/frost

Affected ranges

Type

GIT

Repo

https://github.com/ZcashFoundation/frost

Events

Introduced

2d88edf1623ee29f671a43966aae0bd4ead2ea7a

Last affected

94dba95d8e44974fb4bf4314b1b8eac5844e06b7

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.1.0"
        }
    ]
}

Type: GIT
Repo: https://github.com/zcashfoundation/frost
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

379ef689c733b3d9c80fd409071d4f3af4dafed2

Affected versions

0.*

0.2.0

0.2.1

0.3.0

frost-core/v0.*

frost-core/v0.2.0

frost-core/v0.3.0

frost-core/v0.4.0

frost-core/v0.5.0

frost-core/v0.6.0

frost-core/v0.7.0

frost-core/v1.*

frost-core/v1.0.0

frost-core/v1.0.0-rc.0

frost-core/v2.*

frost-core/v2.0.0

frost-core/v2.0.0-rc.0

frost-core/v2.1.0

frost-ed25519/v0.*

frost-ed25519/v0.2.0

frost-ed25519/v0.3.0

frost-ed25519/v0.4.0

frost-ed25519/v0.5.0

frost-ed25519/v0.6.0

frost-ed25519/v0.7.0

frost-ed25519/v1.*

frost-ed25519/v1.0.0

frost-ed25519/v1.0.0-rc.0

frost-ed25519/v2.*

frost-ed25519/v2.0.0

frost-ed25519/v2.0.0-rc.0

frost-ed25519/v2.1.0

frost-ed448/v0.*

frost-ed448/v0.1.0

frost-ed448/v0.2.0

frost-ed448/v0.3.0

frost-ed448/v0.4.0

frost-ed448/v0.5.0

frost-ed448/v0.6.0

frost-ed448/v0.7.0

frost-ed448/v1.*

frost-ed448/v1.0.0

frost-ed448/v1.0.0-rc.0

frost-ed448/v2.*

frost-ed448/v2.0.0

frost-ed448/v2.0.0-rc.0

frost-ed448/v2.1.0

frost-p256/v0.*

frost-p256/v0.2.0

frost-p256/v0.3.0

frost-p256/v0.4.0

frost-p256/v0.5.0

frost-p256/v0.6.0

frost-p256/v0.7.0

frost-p256/v1.*

frost-p256/v1.0.0

frost-p256/v1.0.0-rc.0

frost-p256/v2.*

frost-p256/v2.0.0

frost-p256/v2.0.0-rc.0

frost-p256/v2.1.0

frost-rerandomized/v0.*

frost-rerandomized/v0.2.0

frost-rerandomized/v0.3.0

frost-rerandomized/v0.4.0

frost-rerandomized/v0.5.0

frost-rerandomized/v0.6.0

frost-rerandomized/v0.7.0

frost-rerandomized/v1.*

frost-rerandomized/v1.0.0

frost-rerandomized/v1.0.0-rc.0

frost-rerandomized/v2.*

frost-rerandomized/v2.0.0

frost-rerandomized/v2.0.0-rc.0

frost-rerandomized/v2.1.0

frost-ristretto255/v0.*

frost-ristretto255/v0.1.0

frost-ristretto255/v0.2.0

frost-ristretto255/v0.3.0

frost-ristretto255/v0.4.0

frost-ristretto255/v0.5.0

frost-ristretto255/v0.6.0

frost-ristretto255/v0.7.0

frost-ristretto255/v1.*

frost-ristretto255/v1.0.0

frost-ristretto255/v1.0.0-rc.0

frost-ristretto255/v2.*

frost-ristretto255/v2.0.0

frost-ristretto255/v2.0.0-rc.0

frost-ristretto255/v2.1.0

frost-secp256k1-tr/v2.*

frost-secp256k1-tr/v2.1.0

frost-secp256k1/v0.*

frost-secp256k1/v0.2.0

frost-secp256k1/v0.3.0

frost-secp256k1/v0.4.0

frost-secp256k1/v0.5.0

frost-secp256k1/v0.6.0

frost-secp256k1/v0.7.0

frost-secp256k1/v1.*

frost-secp256k1/v1.0.0

frost-secp256k1/v1.0.0-rc.0

frost-secp256k1/v2.*

frost-secp256k1/v2.0.0

frost-secp256k1/v2.0.0-rc.0

frost-secp256k1/v2.1.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58359.json"